dragon2025 2016-10-08 16:18
浏览 92
已采纳

这个php脚本是否可以安全地在我的网站中使用?

I want to protect some content in my site with a password and I am thinking in using this php script

Do you think is a good way to go?

Do you know something better for this task or a way to improve ( if needed) thin one ?

The code to load the content from the database is :

<?php


error_reporting(0);
include("config.php");


if (!isset($_REQUEST["p"])) {

    echo 'document.write("<div id=\"protected_'.intval($_REQUEST["id"]).'\">");';
    echo 'document.write("<form onsubmit=\'return LoadContent(\"'.intval($_REQUEST["id"]).'\",\"protected_'.intval($_REQUEST["id"]).'\",document.getElementById(\"pass_'.intval($_REQUEST["id"]).'\").value); return false;\'\"><input type=\'password\' size=\'30\' placeholder=\'Content is protected! Enter password.\' id=\"pass_'.intval($_REQUEST["id"]).'\"></form>");';
    echo 'document.write("</div>");';

} else {

    $sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE `id`='".intval($_REQUEST["id"])."' AND password='".mysql_real_escape_string($_REQUEST["p"])."'";
    $sql_result = mysql_query ($sql, $connection ) or die ('request "Could not execute SQL query" '.$sql);

    if (mysql_num_rows($sql_result)==1) {
        $row = mysql_fetch_assoc($sql_result);
        echo $row["content"];
    } else {
        echo 'Wrong password';  
    }

}

?>
  • 写回答

1条回答 默认 最新

  • doushan6161 2016-10-08 18:06
    关注

    As I said in comments, you shouldn't be spending anymore time with what you downloaded since it's old and not safe.

    You may be saving passwords in plain text which is definitely not a good idea.

    • It's time to step into the 21st century.

    The mysql_ API is in deprecation and has been deleted from PHP 7.0 entirely.

    You are best to use a prepared statement and password_hash() or the compatibility pack.

    Here are a few references:

    N.B. The use of mysql_real_escape_string() does not fully guarantee protection against a possible SQL injection.

    Consult the following Q&A on the subject:

    Here is a piece of code pulled from one or ircmaxell's answers which uses a (PDO) prepared statement and password_hash().

    Pulled from: https://stackoverflow.com/a/29778421/1415724

    Just use a library. Seriously. They exist for a reason.

    Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

    $dbh = new PDO(...);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);

$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);

    And on login:

    $sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
    if (password_verify($_POST['password'], $users[0]->password) {
        // valid login
    } else {
        // invalid password
    }
} else {
    // invalid username
}
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 vue3页面el-table页面数据过多
  • ¥100 vue3中融入gRPC-web
  • ¥15 kali环境运行volatility分析android内存文件,缺profile
  • ¥15 写uniapp时遇到的问题
  • ¥15 vs 2008 安装遇到问题
  • ¥15 matlab有限元法求解梁带有若干弹簧质量系统的固有频率
  • ¥15 找一个网络防御专家,外包的
  • ¥100 能不能让两张不同的图片md5值一样,(有尝)
  • ¥15 informer代码训练自己的数据集,改参数怎么改
  • ¥15 请看一下,学校实验要求,我需要具体代码